Microsoft Security Bulletin: December 9 2008 Security Bulletin

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 32 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)

Severity

Urgent 5

Qualys ID

90474

Vendor Reference

MS09-010

CVE Reference

CVE-2008-4841, CVE-2009-0087, CVE-2009-0088, CVE-2009-0235

CVSS Scores

Base 9.3 / Temporal 7.7

Description

WordPad is a default component of Microsoft Windows operating systems. Text converters in WordPad allow users who do not have Microsoft Office Word installed to open documents in various Microsoft Windows file formats. The Microsoft Office WordPerfect 6.x Converter helps users convert documents from Corel WordPerfect 6.x file formats to Microsoft Office Word file formats.
Multiple vulnerabilities listed below have been identified in WordPad and Office Text Converters:
- A memory corruption vulnerability in WordPad and Office Text Converter exists in the way the applications process memory when a user opens a specially crafted Word 6 file that includes malformed data. A remote attacker can exploit this flaw to execute arbitrary code. (CVE-2009-0087)
- A stack-based buffer overflow vulnerability exists when parsing a specially crafted Word 97 document. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed list structure. (CVE-2008-4841)
- A stack corruption vulnerability in Word 2000 WordPerfect 6.x Converter exists in the way that the converter processes memory when parsing a specially crafted WordPerfect document. (CVE-2009-0088)
- A stack-based buffer overflow vulnerability exists in WordPad as a result of memory corruption when a user opens a specially crafted Word file. This can be exploited by a remote attacker to execute arbitrary code. (CVE-2009-0235)
Microsoft has released a security update to address these vulnerabilities by modifying the way that Microsoft Office Word and Office text converters handle opening specially crafted Word 6.0, Windows Write, and WordPerfect documents. It also addresses the vulnerabilities by implementing fixes to WordPad and by preventing WordPad on affected platforms from opening Word 6.0 and Windows Write files.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2009 Security Updates Are Now Available On the ECE (KB960477, 923561)

Consequence

Successful exploitation of this vulnerability allows an attacker to run arbitrary code as the logged-on user if a specially crafted file is opened in WordPad or Microsoft Office Word. An attacker with administrative rights can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

For Office Users:-
In order to resolve this issue, install following office patches:- "office2000-KB921606-FullFile-ENU.exe, office2003-KB960476-FullFile-ENU.exe, officexp-KB933399-FullFile-ENU.exe" along with windows patches "Windows2000-KB923561-x86-ENU.EXE, WindowsServer2003-KB923561-ia64-ENU.exe, WindowsServer2003-KB923561-x86-ENU.exe, WindowsServer2003.WindowsXP-KB923561-x64-ENU.exe, WindowsXP-KB923561-x86-ENU.exe"

For Non-Office Users:-
In order to resolve this issue, install following Windows patches:- "Windows2000-KB923561-x86-ENU.EXE, WindowsServer2003-KB923561-ia64-ENU.exe, WindowsServer2003-KB923561-x86-ENU.exe, WindowsServer2003.WindowsXP-KB923561-x64-ENU.exe, WindowsXP-KB923561-x86-ENU.exe"

Workaround:
1) Avoid opening or saving Microsoft Office files received from untrusted sources
2) Disable the Word 6 converter by restricting access by applying an access control list to affected converters to ensure that the converter is no longer loaded by WordPad and Office.
Impact of the workaround: Conversion of Word 6 documents to WordPad RTF or Word 2003 documents will no longer work.
3) Disable the Office text converter by restricting access by applying an access list to the affected converter to ensure it is no longer loaded by Microsoft Office Word.
Impact of the workaround: Microsoft Office Word will no longer load WordPerfect documents.
Detailed information on applying access lists to disable Word 6 and Office text converter can be found in Microsoft Security Bulletin MS09-010.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Office 2000 Service Pack 3 (Microsoft Office Word 2000 Service Pack 3)
Microsoft Office XP Service Pack 3 (Microsoft Office Word 2002 Service Pack 3)
Microsoft Office Converter Pack
Refer to Microsoft Security Bulletin MS09-010 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-010 Microsoft Office 2000 Service Pack 3(Microsoft Office Word 2000 Service Pack 3)
MS09-010 Microsoft Office Converter Pack
MS09-010 Microsoft Office XP Service Pack 3(Microsoft Office Word 2002 Service Pack 3)
MS09-010 Microsoft Windows 2000 Service Pack 4
MS09-010 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-010 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-010 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MS09-010 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
MS09-010 Windows XP Service Pack 2 and Windows XP Service Pack 3
Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability (MS08-070)

Severity

Critical 4

Qualys ID

90473

Vendor Reference

MS08-070

CVE Reference

CVE-2008-3704, CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256

CVSS Scores

Base 9.3 / Temporal 7.7

Description

A remote code execution vulnerability exists in DataGrid, FlexGrid, Hierarchical Flexgrid, Windows Common, Charts and Masked Edit ActiveX controls for Visual Basic 6.
An attacker can exploit this vulnerability by constructing a specially-crafted web page and making the user visit this page.

Consequence

An attacker who successfully exploits this vulnerability could gain the same user rights as the logged-on user.

Solution

Refer to MS08-070 for more information.

Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS08-070 Microsoft Office Project 2003 Service Pack 3
MS08-070 Microsoft Office Project 2007
Microsoft Windows GDI+ Remote Code Execution Vulnerability (MS08-071)

Severity

Critical 4

Qualys ID

90469

Vendor Reference

MS08-071

CVE Reference

CVE-2008-2249, CVE-2008-3465

CVSS Scores

Base 9.3 / Temporal 7.3

Description

This security update resolves two vulnerabilities in GDI by modifying the way GDI validates file size parameters and performs integer calculations to prevent overflow conditions.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
December 2008 Updates are Available (including for XPe SP3 and Standard) (KB956802)

Consequence

Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=3B775FB1-1077-455D-AF4A-4CCB5237974F
Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=2151FBBA-C464-4D1E-82D4-5B096E82BED0
Windows XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=2151FBBA-C464-4D1E-82D4-5B096E82BED0
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=2247F6A5-AA33-4C68-9EA8-A63488D126D3
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=0C396796-0929-4CD2-99E8-3C0F7075A89E
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=6D5C7D2F-1A82-4CDF-B3F2-B2C2390C6A64
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=1EDB62B4-3D0F-4891-B4B3-8F8BC4E7BDFE
Windows Vista and Windows Vista Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=CDDF9CF6-BDEB-4429-823A-879387A428D7
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=73DC3775-B6F0-40F1-BD36-6B5FB80EB2FA
Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=BBED9E8B-E75E-44EF-BA1D-FD6F852C1F67
Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=48AECF4C-1296-490D-BA37-A28E3EC19BD6
Windows Server 2008 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=9BFE15CD-02FF-45CF-85C8-5FF1E6C1A871
Refer to Micrsoft Security Bulletin MS08-071 for further details.
Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)

Severity

Critical 4

Qualys ID

110092

Vendor Reference

MS08-072

CVE Reference

CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4028, CVE-2008-4030, CVE-2008-4031, CVE-2008-4837

CVSS Scores

Base 9.3 / Temporal 7.7

Description

Microsoft Word is prone to multiple remote code execution vulnerabilities. The security update addresses the following issues:
- Word Memory Corruption Vulnerability (CVE-2008-4024)
- Word RTF Object Parsing Vulnerability (CVE-2008-4025)
- Word Memory Corruption Vulnerability (CVE-2008-4026)
- Word RTF Object Parsing Vulnerability (CVE-2008-4027)
- Word RTF Object Parsing Vulnerability (CVE-2008-4028)
- Word RTF Object Parsing Vulnerability (CVE-2008-4030)
- Word RTF Object Parsing Vulnerability (CVE-2008-4031)
- Word Memory Corruption Vulnerability (CVE-2008-4837)

Consequence

An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Office Word 2000 Service Pack 3):
http://www.microsoft.com/downloads/details.aspx?FamilyId=43e8c4d8-307b-48f6-ac99-a9617421d40a
Microsoft Office XP Service Pack 3 (Microsoft Office Word 2002 Service Pack 3):
http://www.microsoft.com/downloads/details.aspx?FamilyId=3ef41412-50b3-4077-b0e3-9a3704d2f876
Microsoft Office 2003 Service Pack 3 (Microsoft Office Word 2003 Service Pack 3):
http://www.microsoft.com/downloads/details.aspx?FamilyId=45c81c60-4b1b-4246-839b-198ebc4eeae2
2007 Microsoft Office System (Microsoft Office Word 2007):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5b51cb5e-3899-4257-82cf-7e92fa619c37
2007 Microsoft Office System (Microsoft Office Outlook 2007):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5b51cb5e-3899-4257-82cf-7e92fa619c37
2007 Microsoft Office System Service Pack 1 (Microsoft Office Word 2007 Service Pack 1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5b51cb5e-3899-4257-82cf-7e92fa619c37
2007 Microsoft Office System Service Pack 1 (Microsoft Office Outlook 2007 Service Pack 1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5b51cb5e-3899-4257-82cf-7e92fa619c37
Microsoft Office Word Viewer 2003 Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=70de7c3c-519f-4f4a-a03f-027f80b5415c
Microsoft Office Word Viewer:
http://www.microsoft.com/downloads/details.aspx?FamilyId=70de7c3c-519f-4f4a-a03f-027f80b5415c
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats:
http://www.microsoft.com/downloads/details.aspx?FamilyId=55430121-4476-48b8-9f6f-4a60fa0b2970
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=55430121-4476-48b8-9f6f-4a60fa0b2970
For a complete list of patch download links, please refer to Micrsoft Security Bulletin MS08-072.
Microsoft Internet Explorer Cumulative Security Update (MS08-073)

Severity

Critical 4

Qualys ID

100064

Vendor Reference

MS08-073

CVE Reference

CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, CVE-2008-4261

CVSS Scores

Base 9.3 / Temporal 6.9

Description

This critical security update resolves vulnerabilities existing in Microsoft Internet Explorer, including the following: parameter validation memory corruption vulnerability, HTML objects memory corruption vulnerability, uninitialized memory corruption, and HTML rendering memory corruption vulnerability.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
December 2008 Updates are Available (including for XPe SP3 and Standard) (KB958215)

Consequence

An attacker who successfully exploits these vulnerabilities could gain the same user rights as the logged-on user.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 5.01 Service Pack 4):
http://www.microsoft.com/downloads/details.aspx?familyid=c242ba42-556b-4c87-bf33-9d99166ff096
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 Service Pack 1):
http://www.microsoft.com/downloads/details.aspx?familyid=c0583745-7e57-4265-9429-c3415cb8465f
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Internet Explorer 6):
http://www.microsoft.com/downloads/details.aspx?familyid=af9a6cb0-725d-490c-9858-16ec40e98560
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Microsoft Internet Explorer 6):
http://www.microsoft.com/downloads/details.aspx?familyid=60bf9851-24fe-4658-8333-d353e82063c7
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Microsoft Internet Explorer 6):
http://www.microsoft.com/downloads/details.aspx?familyid=d53adf6f-9501-4862-a1ca-57eb4d40cd75
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Internet Explorer 6):
http://www.microsoft.com/downloads/details.aspx?familyid=5e37cb34-32be-4bbe-87f3-c4e1974e4d00
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft Internet Explorer 6):
http://www.microsoft.com/downloads/details.aspx?familyid=0da4e424-4682-4401-a226-7d8f1be19d44
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7):
http://www.microsoft.com/downloads/details.aspx?familyid=1b582695-b3cc-4c65-bc4b-d673c9a6d82a
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Windows Internet Explorer 7):
http://www.microsoft.com/downloads/details.aspx?familyid=107cf54b-29d4-4c54-b091-2b5b3ffbf49d
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Windows Internet Explorer 7):
http://www.microsoft.com/downloads/details.aspx?familyid=9cdd4f9e-c578-405c-af9e-628f2d77fdf4
For a complete list of patch download links, please refer to Micrsoft Security Bulletin MS08-073.
Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)

Severity

Critical 4

Qualys ID

110090

Vendor Reference

MS08-074

CVE Reference

CVE-2008-4264, CVE-2008-4265, CVE-2008-4266

CVSS Scores

Base 9.3 / Temporal 6.9

Description

Microsoft Excel is prone to multiple remote code execution vulnerabilities. The security update addresses the following issues:
- Excel File Format Parsing Vulnerability when loading formulas (CVE-2008-4264)
- Excel File Format Parsing Vulnerability when loading records (CVE-2008-4265)
- Excel Global Array Memory Corruption Vulnerability (CVE-2008-4266)

Consequence

An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Office Excel 2000 Service Pack 3):
http://www.microsoft.com/downloads/details.aspx?FamilyId=f39d2a49-f861-4f2d-bf91-94a8a85af40c
Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3):
http://www.microsoft.com/downloads/details.aspx?FamilyId=72076e21-2aa3-48e8-883a-c3cb756fc72a
Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3):
http://www.microsoft.com/downloads/details.aspx?FamilyId=6c0771e5-fcd4-4365-b903-1a3bd95d9e66
2007 Microsoft Office System (Microsoft Office Excel 2007):
http://www.microsoft.com/downloads/details.aspx?FamilyId=68bb8d99-f28b-4efd-9314-3eee0bb00ccf
2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=68bb8d99-f28b-4efd-9314-3eee0bb00ccf
Microsoft Office Excel Viewer 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=4b3989ef-02b8-4bd2-b2ab-c3716079936e
Microsoft Office Excel Viewer 2003 Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=4b3989ef-02b8-4bd2-b2ab-c3716079936e
Microsoft Office Excel Viewer:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9dbb35c1-aa7a-481b-a330-8ba916ddd443
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats:
http://www.microsoft.com/downloads/details.aspx?FamilyId=99cca4ed-f1f9-4cfd-a986-edbec82ced4f
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=99cca4ed-f1f9-4cfd-a986-edbec82ced4f
Microsoft Office 2004 for Mac:
http://www.microsoft.com/downloads/details.aspx?FamilyId=ECA13AD8-62AE-41A8-B308-41E2D1773820
For a complete list of patch download links, please refer to Micrsoft Security Bulletin MS08-074.
Microsoft Windows Search Remote Code Execution Vulnerability (MS08-075)

Severity

Critical 4

Qualys ID

90471

Vendor Reference

MS08-075

CVE Reference

CVE-2008-4268, CVE-2008-4269

CVSS Scores

Base 8.5 / Temporal 6.3

Description

Microsoft Windows Search allows instant search capabilities for data and files. Microsoft Windows Search is a standard component of Windows Vista and Windows Server 2008 that is enabled by default.
Microsoft Search is prone to a remote code execution vulnerability if a user opens and saves a specially-crafted saved search file within Windows Explorer, or if a user clicks a specially-crafted search URL. This is because Windows Explorer does not correctly free memory when saving Windows Search files and does not correctly interpret parameters when parsing the search-ms protocol.

Consequence

An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows Vista and Windows Vista Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=0DCC5373-0435-42D5-864D-298E5BB122D9
Windows Vista and Windows Vista Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=5B1B65F0-6848-47C6-BDD5-BE3C0621B323
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=2112C5C8-7C9F-4491-B127-B1093085E105
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=EB1D0FFE-1644-457B-9E82-768BD4C7F7AB
Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=90AB7E6F-5AE7-4F55-8838-868FC98D8A16
Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=470D506F-77AE-4A44-8598-DF645F484295
Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=E1DEAB57-ADA2-4B12-9157-5615E7B0071D
Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=E41F23E4-6A2F-4EBB-B425-D241A08DA316
Windows Server 2008 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=48BED90D-C243-4969-8E54-326D9A7AF343
Windows Server 2008 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=83DE2263-DE2A-4C13-96BA-ECFEBDAF0BB9
Refer to Micrsoft Security Bulletin MS08-075 for further details.
Microsoft Windows Media Components Remote Code Execution Vulnerability (MS08-076)

Severity

Critical 4

Qualys ID

90470

Vendor Reference

MS08-076

CVE Reference

CVE-2008-3009, CVE-2008-3010

CVSS Scores

Base 10 / Temporal 7.4

Description

This security update addresses two vulnerabilities in the following Windows Media components: Windows Media Player, Windows Media Format Runtime, and Windows Media Services.
The security update addresses the first vulnerability by modifying the way that Windows Media authentication replies are validated. The security update addresses the second vulnerability by ensuring that Windows Media clients treat servers using ISATAP addresses as external.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
January 2009 Security Updates for Runtimes Are Available (KB952069)
December 2008 Updates are Available (including for XPe SP3 and Standard) (KB954600)

Consequence

The most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Server Service Pack 4 (Windows Media Player 6.4):
http://www.microsoft.com/downloads/details.aspx?FamilyId=C33D558E-45F9-4E85-B48C-03BD0E8CB4BC
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Media Player 6.4):
http://www.microsoft.com/downloads/details.aspx?FamilyId=99241309-E644-4088-A8F3-38837FAB4037
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Windows Media Player 6.4):
http://www.microsoft.com/downloads/details.aspx?FamilyId=946D47C9-B208-4FAB-8EF6-774413D61BC8
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Windows Media Player 6.4):
http://www.microsoft.com/downloads/details.aspx?FamilyId=2315CE20-2F46-42C2-BB40-045F003409D7
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Windows Media Player 6.4):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4C29BED9-1B88-4D2F-80A5-305C2BEDD89F
Microsoft Windows 2000 Service Pack 4 (Windows Media Format Runtime 7.1 and Windows Media Format Runtime 9.0):
http://www.microsoft.com/downloads/details.aspx?FamilyId=6A459497-0AB8-41CB-87D0-B551631D8D8A
Windows XP Service Pack 2 (Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, and Windows Media Format Runtime 11):
http://www.microsoft.com/downloads/details.aspx?FamilyId=504F816C-F554-4B93-AC28-B085574D9BAC
Windows XP Service Pack 3 (Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, and Windows Media Format Runtime 11):
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD76FCF3-A2F9-4E36-BD1B-C1536749173C
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Windows Media Format Runtime 9.5):
http://www.microsoft.com/downloads/details.aspx?FamilyId=644EF023-EE40-45B0-9C9D-C76D9FAB0005
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Windows Media Format Runtime 9.5 x64 Edition):
http://www.microsoft.com/downloads/details.aspx?FamilyId=AE9E8B07-5354-42F3-A226-BA2193244524
For a complete list of patch download links, please refer to Micrsoft Security Bulletin MS08-076.
Microsoft Office SharePoint Server Privilege Elevation Vulnerability (MS08-077)

Severity

Critical 4

Qualys ID

90472

Vendor Reference

MS08-077

CVE Reference

CVE-2008-4032

CVSS Scores

Base 7.5 / Temporal 5.9

Description

This security update resolves a privately reported vulnerability in Microsoft Office SharePoint Server.

Consequence

The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office SharePoint Server 2007 (32-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=f8f73997-6f4c-4b43-aa50-5c8276e83d3e
Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=f8f73997-6f4c-4b43-aa50-5c8276e83d3e
Microsoft Office SharePoint Server 2007 (64-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=a7fda284-273c-42ab-8188-433beaacca86
Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=a7fda284-273c-42ab-8188-433beaacca86
Microsoft Search Server 2008 (32-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=f8f73997-6f4c-4b43-aa50-5c8276e83d3e
Microsoft Search Server 2008 (64-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=a7fda284-273c-42ab-8188-433beaacca86
Refer to Micrsoft Security Bulletin MS08-077 for further details.

These new vulnerability checks are included in Qualys vulnerability signature 1.22.76-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

Ensure access to TCP ports 135 and 139 are available.
Enable Windows Authentication (specify Authentication Records).
Enable the following Qualys IDs:
- 90474
- 90473
- 90469
- 110092
- 100064
- 110090
- 90471
- 90470
- 90472
If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.

Asset Management

IT Security

Compliance

Cloud-native Security

Web App Security

Customers

Partners

Company

Support

Qualys Cloud Platform

Free Services

Asset Management

IT Security

Compliance

Cloud-Native Security

Web App Security

Qualys Cloud Platform

Free Services

Microsoft security alert.

December 9, 2008

Advisory overview

Vulnerability details

WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)

Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability (MS08-070)

Microsoft Windows GDI+ Remote Code Execution Vulnerability (MS08-071)

Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)

Microsoft Internet Explorer Cumulative Security Update (MS08-073)

Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)

Microsoft Windows Search Remote Code Execution Vulnerability (MS08-075)

Microsoft Windows Media Components Remote Code Execution Vulnerability (MS08-076)

Microsoft Office SharePoint Server Privilege Elevation Vulnerability (MS08-077)

Selective Scan Instructions Using Qualys

Access for Qualys Customers

Technical Support

About Qualys